Help with odd port scans

Published: 2010-11-24. Last Updated: 2010-11-24 22:58:41 UTC
by Jim Clausing (Version: 1)
14 comment(s)

I have to admit, I've gotten a little lazy about reading through my firewall logs on my home machine every day, but today, I was looking back through my daily reports for the last 2 weeks and noticed a couple of odd port scans. I've been getting these scans from multiple IPs (2-4 of each per day) every day for that period. I'll put up a netcat listener this evening to see if I can get some packets, but I was wondering if any of our loyal readers had any idea what is going on here? Based on some of the ports being scanned, I'm guessing they are looking for open proxies to use as relays among other things, but some of those ports are new to me. Has anyone else seen them or know what they are actually looking for?

    From aa.bb.cc.dd - 252 packets
       To my.home.machine - 252 packets
          Service: snmp (udp/161) (IPTABLES UDP-IN:) - 36 packets
          Service: 3389 (tcp/3389) (IPTABLES TCP-IN:) - 54 packets
          Service: 5900 (tcp/5900) (IPTABLES TCP-IN:) - 54 packets
          Service: http-alt (tcp/8080) (IPTABLES TCP-IN:) - 54 packets
          Service: 40080 (tcp/40080) (IPTABLES TCP-IN:) - 54 packets
 

    From ee.ff.gg.hh - 32 packets
       To my.home.machine - 32 packets
          Service: 73 (tcp/73) (IPTABLES TCP-IN:) - 1 packet
          Service: socks (tcp/1080) (IPTABLES TCP-IN:) - 1 packet
          Service: 2301 (tcp/2301) (IPTABLES TCP-IN:) - 1 packet
          Service: 2479 (tcp/2479) (IPTABLES TCP-IN:) - 2 packets
          Service: 3128 (tcp/3128) (IPTABLES TCP-IN:) - 2 packets
          Service: 3246 (tcp/3246) (IPTABLES TCP-IN:) - 3 packets
          Service: 6588 (tcp/6588) (IPTABLES TCP-IN:) - 1 packet
          Service: 8000 (tcp/8000) (IPTABLES TCP-IN:) - 2 packets
          Service: 8085 (tcp/8085) (IPTABLES TCP-IN:) - 4 packets
          Service: 8090 (tcp/8090) (IPTABLES TCP-IN:) - 2 packets
          Service: 8118 (tcp/8118) (IPTABLES TCP-IN:) - 1 packet
          Service: 9000 (tcp/9000) (IPTABLES TCP-IN:) - 4 packets
          Service: 9090 (tcp/9090) (IPTABLES TCP-IN:) - 4 packets
          Service: 9415 (tcp/9415) (IPTABLES TCP-IN:) - 2 packets
          Service: 27977 (tcp/27977) (IPTABLES TCP-IN:) - 2 packets
 

---------------
Jim Clausing, GSE #26
jclausing --at-- isc [dot] sans (dot) org

Keywords: port scan
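Since the same scans arrive from several addresses each day, grouping sources by the exact set of ports they probe makes each recurring profile stand out. The following is an added example, not part of the original diary; it parses the report layout shown above, and the sample report with its documentation-range addresses is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the report layout shown above; addresses are placeholders.
REPORT = """\
From 192.0.2.10 - 252 packets
   To my.home.machine - 252 packets
      Service: snmp (udp/161) (IPTABLES UDP-IN:) - 36 packets
      Service: 3389 (tcp/3389) (IPTABLES TCP-IN:) - 54 packets
      Service: 5900 (tcp/5900) (IPTABLES TCP-IN:) - 54 packets
From 198.51.100.7 - 4 packets
   To my.home.machine - 4 packets
      Service: socks (tcp/1080) (IPTABLES TCP-IN:) - 1 packet
      Service: 3128 (tcp/3128) (IPTABLES TCP-IN:) - 2 packets
      Service: 27977 (tcp/27977) (IPTABLES TCP-IN:) - 1 packet
From 203.0.113.44 - 90 packets
   To my.home.machine - 90 packets
      Service: snmp (udp/161) (IPTABLES UDP-IN:) - 18 packets
      Service: 3389 (tcp/3389) (IPTABLES TCP-IN:) - 36 packets
      Service: 5900 (tcp/5900) (IPTABLES TCP-IN:) - 36 packets
"""

FROM_RE = re.compile(r"^\s*From (\S+) - (\d+) packets?")
SVC_RE = re.compile(r"^\s*Service: \S+ \((tcp|udp)/(\d+)\) .* - (\d+) packets?")


def parse_report(text):
    """Return {source: {(proto, port): packets}} from the summary text."""
    sources, current = defaultdict(dict), None
    for line in text.splitlines():
        if m := FROM_RE.match(line):
            current = m.group(1)
        elif (m := SVC_RE.match(line)) and current is not None:
            key, count = (m.group(1), int(m.group(2))), int(m.group(3))
            sources[current][key] = sources[current].get(key, 0) + count
    return dict(sources)


def group_by_port_set(sources):
    """Group sources whose probed (proto, port) sets are identical."""
    groups = defaultdict(list)
    for src, ports in sources.items():
        groups[frozenset(ports)].append(src)
    return {sig: sorted(srcs) for sig, srcs in groups.items()}


if __name__ == "__main__":
    for sig, srcs in group_by_port_set(parse_report(REPORT)).items():
        print(sorted(sig, key=lambda p: p[1]), "<-", ", ".join(srcs))
```

Sources that land in the same group are probing an identical port list, which is a reasonable basis for treating them as one scanning profile when reviewing daily reports.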

Comments

The 252 packet sample appears to be a search for standard remote access, web, and snmp ports. Normal noise. But was the second scan coming from IPs on a Chinese IP block? I see these port scan patterns all day long on various networks, particularly Comcast broadband networks, usually sourced from China, but occasionally from sites in Europe. Any chance the source port is 12200 or 6000?
Looks pretty ordinary as far as scans go - just snooping, I'd say.
I see such traffic all day long. These are port scans from different IPs all around the world, mainly from China, Brazil and Russia. The source ports also include 11000 & 14000. I also see horizontal & vertical port scans on port 1433 (SQL) & 10000 (Veritas remote backup). The best way is to block these IPs at the border router so that they do not even reach the firewall for a period of around 30 days.
Yup, many of the source ports are 12200
Yeah, I am mostly just wondering what they were looking for on, for example, tcp 73, tcp 2301, or tcp 40080. Are those standard proxy ports? I also thought the SNMP along with the remote access was an odd combination.
I don't believe they're typically used. If I remember, I've seen 2301 and 40080 in reference to network gaming ports.
Those scans are probably looking for open proxies, different servers (tomcat, sql etc. control panel ports), voip and some other stuff like that.
I see that every day on all my webservers.

Also, I checked what Google said about that 12200 source port and found one interesting line on one discussion board:
"I guess it may be possible that someone is using ghostsurf to attempt to use someone else's ghostsurf open proxy installation as part of a multilayer proxy."
So maybe just normal scanning all around.
Source port 12200 is definitely Ghostsurf but seems to have load balancing capabilities too. My firewall was getting pummeled from China on that port... destination ports were almost always the usual remote access ports you showed, Jim. Those who say China isn't up to something are seriously nuts.
Agreed. Even though the government of China certainly isn't behind all of it, or probably even much of it, they still run all external traffic through the Great Firewall of China. At a minimum I'm sure they're passively logging all attacks going outbound, logging whether they were successful and building a catalog of vulnerable systems for possible future use.

Just like other governments around the world are doing. :-)
3389 is Windows RDP and 5900 is default for VNC.
